Jeep Hack Shows Why the DMCA Must Get Out of the Way of Vehicle Security Research

Security researchers Charlie Miller and Chris Valasek have once again exposed automobile security flaws that allow attackers to take over a vehicle’s crucial systems. In their latest work, they learned how an attacker could remotely control a car over the Internet.

Vehicle manufacturers dismissed prior warnings about flawed security by claiming [PDF] that the exploits relied on physical access to the car. But it has long been known that vehicles’ wireless systems (such as Bluetooth) contain vulnerabilities that would allow a malicious hacker to gain access to critical vehicle functions.

Miller and Valasek took it one step further, revealing one dramatic way that drivers have been left vulnerable in manufacturers’ race to connect vehicles to the Internet. This particular vulnerability relates to Chrysler’s Uconnect system, but it would be naive to imagine that no other vehicles have similar vulnerabilities.

One major reason that serious vulnerabilities have gone undisclosed and unfixed is that laws like Section 1201 of the Digital Millennium Copyright Act chill independent security research. That’s why we filed for an exemption to Section 1201 that would specifically protect security and safety research on vehicle software from DMCA liability. The automakers showed up in force to oppose it (including the “Auto Alliance” trade group, of which Fiat Chrysler is a member), arguing that there was no need for independent security research and that they had the legal right to shut it down – even when researchers only look at code on vehicles they own. We think Miller, Valasek, and other researchers have amply shown the need for independent vehicle security research.

We also asked for a second DMCA exemption for vehicle software, one that would allow competition in the vehicle software space (as well as repairs and customization). If that exemption is granted, an alternative software provider could enter the market to secure your vehicle and you might decide you have more faith in them than in the original manufacturer (or they might offer better functionality, or they might protect your privacy against invasive data collection by auto manufacturers). We would at least see the possibility of competition leading to better practices and spurring innovation among manufacturers.

The Librarian of Congress will issue a final rule this Fall and we are hopeful that he will grant exemptions that bring greater legal certainty to important research and remove Section 1201 as a barrier to innovation, competition, and user choice.
